When using SAML SSO, GitLab creates a user account with a placeholder email address
Summary
GitLab will create a user account with a random email format when SAML SSO is configured on GitLab.com.
The claims on the IdP must be configured a specific way:
- The username claim must return a value that does not contain an "@" symbol
- The email claim must be invalid (anything other than "mail" or "email" in the SAML response)
When the above is true and a user signs in, GitLab provisions a new account and gives the account an email address of temp-email-for-oauth-<user-name>@gitlab.com.
Steps to Reproduce
- Set up SAML SSO on GitLab.com
- Configure the IdP such that:
  - The username claim returns a value without an "@" symbol
  - The email claim is invalid (doesn't include "mail" or "email" in the SAML response)
- Attempt to sign in with the configured IdP
- GitLab provisions a new account and gives the account an email address of temp-email-for-oauth-<user-name>@gitlab.com
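To make the two behaviours concrete, here is an added Ruby example (not GitLab's own code): it reads a constructed SAML AttributeStatement with the standard-library REXML parser, shows the placeholder address the report describes, and implements the expected check that rejects a response with no "email"/"mail" attribute. The helper names, the attribute names and the sample values are assumptions for illustration.

```ruby
require 'rexml/document'

SAML_NS = { 'saml' => 'urn:oasis:names:tc:SAML:2.0:assertion' }.freeze
EMAIL_ATTRIBUTE_NAMES = %w[email mail].freeze

# Constructed sample (not a real GitLab.com exchange): the username has no "@"
# and the email is sent under "emailAddress" instead of "email"/"mail",
# which is the IdP configuration the report describes.
SAMPLE_ATTRIBUTE_STATEMENT = <<~XML
  <saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:Attribute Name="username">
      <saml:AttributeValue>jdoe</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="emailAddress">
      <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
XML

# Flatten the AttributeStatement into { attribute name => [values] }.
def saml_attributes(xml)
  doc = REXML::Document.new(xml)
  attrs = Hash.new { |h, k| h[k] = [] }
  REXML::XPath.each(doc, '//saml:Attribute', SAML_NS) do |attr|
    REXML::XPath.each(attr, 'saml:AttributeValue', SAML_NS) do |value|
      attrs[attr.attributes['Name']] << value.text.to_s.strip
    end
  end
  attrs
end

# Current (buggy) behaviour from the report: with no usable email attribute,
# a placeholder address is synthesised and the account is provisioned anyway.
def current_placeholder_email(username)
  "temp-email-for-oauth-#{username}@gitlab.com"
end

# Expected behaviour: email is a required attribute, so provisioning fails
# unless the response carries an "email" or "mail" attribute with a value.
def provision_from_saml(xml)
  attrs = saml_attributes(xml)
  username = attrs['username'].first
  email = EMAIL_ATTRIBUTE_NAMES.map { |name| attrs[name].first }.compact.first
  if email.nil? || email.empty?
    return { ok: false, error: 'SAML response has no "email"/"mail" attribute' }
  end
  { ok: true, username: username, email: email }
end
```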
Example Group and user
The Group is gitlab.com/ag-saml. The GitLab user account created with a random email is: https://gitlab.com/Atest3420405 (admin access required)
What is the current bug behavior?
GitLab creates a user account using a random email address.
What is the expected correct behavior?
Since the email attribute is stated as required in our documentation, GitLab should reject the SAML response as it cannot find the email address.
A new user account should not be created with a randomised email address.